FedCentral, hosted by veteran broadcaster Jane Norris, features federal executives and industry specialists exchanging insights and best practices on a wide range of issues - from cybersecurity and sustainability to cost management and open government - to help government help America.

Physical and Cyber Infrastructure Protection Working Together

December 6, 2012

From cyber-attacks to natural disasters, our national security faces serious
threats. Dangers to our physical and cyber infrastructure require a coordinated
effort to keep them secure. Can a "whole of nation" approach be the answer to the
increasing connectivity of physical and cyber infrastructure protection?

The following is a full transcript of FedCentral's interview with Suzanne
Spaulding, Deputy Under Secretary of the National Protection and Programs
Directorate; Mark Weatherford, Deputy Under Secretary for Cybersecurity of the
National Protection and Programs Directorate; and General Harry Raduege Jr., USAF
(Ret), Chairman, The Deloitte Center for Cyber Innovation, Deloitte Services LP,
conducted by Jane Norris on December 6, 2012.

Jane Norris
Welcome to FedCentral brought to you by Deloitte, a program where executives and
federal government leaders talk about the issues and initiatives that are making a
real impact on the business of government today. To help government help America.

From cyber attacks to natural disasters, our national security faces serious
threats and danger to our physical and cyber infrastructure that requires a
coordinated approach to keep them secure. It's particularly appropriate because
December is Critical Infrastructure Protection and Resilience Month.

Joining us to discuss the increasing connectivity of physical and cyber
infrastructure and the need for a whole of nation approach are Suzanne Spaulding,
the Deputy Under Secretary for National Protection and Programs Directorate. She
oversees infrastructure protection, US-VISIT, and the Federal Protective Service
with a mission to reduce the risk and enhance the resiliency of critical
infrastructure, secure federal facilities, and advance identity management and
verification.

Mark Weatherford is the Deputy Under Secretary for Cybersecurity for the National
Protection and Programs Directorate at DHS. In that position, Mr. Weatherford
leads the department's efforts to create a safe, secure, and resilient cyberspace.
Mr. Weatherford has a wealth of experience in information technology and cyber
security at the federal, state, and private sector levels.

And Lieutenant General Harry Raduege, former director of the Defense Information
Systems Agency, and a four-time federal agency CIO. He's now the Chairman of the
Deloitte Center for Cyber Innovation and a Director with Deloitte Services. Thank
you all for being here. It's great to see you all.

Mark Weatherford
Thank you, Jane.

Harry Raduege
Thank you, Jane. It's great to be here.

Jane Norris
Suzanne, I'm going to start with you. So tell us, what is the National Protection
and Programs Directorate's mission and how does it correspond with the intersection
of cyber and physical security?

Suzanne Spaulding
Jane, the NPPD leads the Department of Homeland Security's mission to enhance the
protection and resilience of our nation's critical infrastructure - you know, the
energy, transportation, communications, water, financial services - those things
which really form the backbone of our way of life. And what we have found is:
these sectors have systems that are increasingly networked. So the systems that
control key aspects of the delivery of those services to the American public are
now vulnerable to cyber attacks - and cyber attacks can produce physical
consequences.

Mark Weatherford
I would just add - one of the things that we added to the NPPD about a year ago
was a focus on cybersecurity. Within the organization, we have the Cybersecurity
and Communications organization, which is responsible for coordinating with not
only the federal government - but state and local governments, and the private
sector, among the 18 critical infrastructures (on how we raise the bar on
cybersecurity, how we respond to cybersecurity events, and as Suzanne said, how we
can help build resilience into the system).

Harry Raduege
Well, let me just ask: it seems now that we're recognizing that cyber and physical
security are gradually becoming more connected, making us increasingly vulnerable.
So what is the history and why are they becoming increasingly connected?

Mark Weatherford
I think there are a couple of reasons for that. Certainly the efficiencies that
digital technology has brought to the mix provide a lot of economic incentives
for companies to bring the digital technology into infrastructures and
organizations and businesses that historically have not depended on that digital
infrastructure. Those digital infrastructures that we're now overlaying on those
critical infrastructures bring along with them a lot of the same vulnerabilities and
are susceptible to the same threats that we see in other areas of our economy.

Suzanne Spaulding
So, Harry, we've talked about the consequences, physical consequences, from a
cyber attack; but it's also the case that you can't have effective cybersecurity,
in most cases, without having effective physical security - because we have to
consider not only remote attacks, but also the insider threat, and gaining
physical access to your IT systems. In addition, physical security systems are
among those systems that are now vulnerable to cyber-attacks because they, too,
are networked, and so your security surveillance cameras, for example, are now
potentially susceptible to remote access, and that threatens your physical
security, so these are in many ways inexorably intertwined.

Harry Raduege
Well, this really makes perfect sense to me. I don't think we've really
recognized the fact of the closeness of the physical and the cyber security in the
past, and I'm glad that both of you are working so closely in this exciting area
to bring these together. So Mark, what technology trends are you seeing now that
support this evolving intersection of cyber and the physical threats that we're
seeing today?

Mark Weatherford
Well, there are a number of ways you could address that, but certainly the growing
use of embedded systems. Embedded systems are really in all facets of our
society, and while they're not computers, they act much like computers and they
can react like computers. So the growing ubiquitousness of these embedded systems
(that really are in everything from cars and airplanes to substations and water
treatment plants and auto manufacturing) - everything has these embedded systems.
As I mentioned earlier, they have potential vulnerabilities that can be used for
disruption.

So the embedded systems are certainly one of the technology trends where I think
we're seeing an evolving intersection. The growing use of wireless is something
that we're seeing more and more of. These systems, many of them are located in
remote locations. There's a growing use of wireless technology to manage these
things remotely. So there's a variety of different technologies and things that,
in fact, do play a part in that intersection of physical and cyber.

Harry Raduege
Well, on the heels of Hurricane Sandy which we've all experienced here as a nation
- and are still experiencing, I might add - the results of it all. Add to that,
recent reports of vulnerabilities to the nation's electric grids... Are there
certain sectors or threats that keep you up at night from a physical and a cyber
perspective?

Mark Weatherford
Well, I wouldn't say there's one that maybe is more important than others;
although, some are certainly more visible than others (e.g., the electricity
sector, as I mentioned a minute ago, the water sector, communications sector -
they're all a bit more tangible, and people can see and touch and feel and smell
them). Those are certainly things that I worry a lot about. From a threat
perspective, we've recently seen attacks on the financial systems in America, and
actually relatively low level technology attacking, but the response that it
required from both the public and the private sector to address that has been
pretty remarkable. So those kinds of things, you think that everything is
high-tech and whiz-bang, and in fact, it can be something fairly trivial from a
technology perspective that can cause some significant disruption.

Harry Raduege
So it sounds like these critical infrastructures are the ones that are your
biggest concern.

Mark Weatherford
Well, they are. I mean, that's what the job at DHS is about, protecting the
homeland, and those services and systems and technologies that society and our
citizens depend on for health and safety and welfare—those are the things that I
focus on, and those things that keep me awake at night, as you say.

Harry Raduege
Great. Well, Suzanne, how about from your perspective?

Suzanne Spaulding
Well, one of the things we spend a good deal of time on is assessing, gathering
data, and doing analysis to help prioritize critical infrastructure. Asking: what
are the most essential? What are the ones where we have to really focus and
allocate resources? And in order to do that, you have to understand the
consequences if you lose that asset, facility, network, or system. Then work your
way back from that in terms of figuring out what are the highest priorities which
highlights the need for a holistic approach. You can't look at cybersecurity and
prioritize on cybersecurity without assessing the physical consequences that will
result from a cyber penetration or cyber attack.

Harry Raduege
Great. Well, Mark, you and Suzanne have been working very, very hard over there.
How is DHS helping to set the example for best practices and connecting cyber and
physical security? Are there ways that you can share publicly with us here during
our broadcast?

Suzanne Spaulding
Harry, we have made a concerted effort to ensure that we are not working in
stovepipes here. We have a cyber security organization and an infrastructure
protection organization that is traditionally focused on physical security, and we
have made concerted efforts to ensure we're taking an integrated approach, and one
of the specifics is: we have set up an integrated analysis task force. That task
force draws on expertise from the cyber side of the house and the physical
security side of the house to do the kind of modeling and analysis that I've been
talking about. There you assess the consequences in the physical world, and the
cross-sector consequences. So you're not looking just at one sector, but the
dependencies between sectors. So that's all the sectors that rely on electricity,
all the sectors that rely on transportation, and communications.

Harry Raduege
That's great. You've been doing some great work there Suzanne, and Mark, can you
add to that, please?

Mark Weatherford
Yeah, we also have, I think another very successful thing that DHS is doing. We
have our people scattered around the country in the different FEMA regions working
with the private sector. They're doing assessments on the ground; incorporating
both physical security and cybersecurity components to those assessments. They're
working in sync, as I said. Both the private sector and state and local
governments - people literally across the country. It's probably one of the
growing services that we are providing for the nation out of DHS. I've been
around the country talking quite a bit lately. This is the one issue that's
coming up a lot, that people are more and more interested in how we can help them
on that from that perspective.

Harry Raduege
Well, you both have given us some great thoughts and ideas on the way that DHS is
now taking a look at both the physical and the cyber areas of our critical
infrastructure and how to protect that to the best of our ability.